Publications

Issue Archive

Formally Verifying Heart Pump Software with SPARK and Echo

Tuesday, 01 January 2013

Page 2 of 2

Model checking and static analysis techniques have been
successfully applied to some problems, and some of these techniques
scale well. However, their analysis targets only certain
properties. For critical applications, complete formal verification
of functionality is highly desirable.

The Echo approach is intended for routine use alongside
existing software development techniques and does not
require programmers to be skilled in mathematical logic or
formal verification techniques. To ease the burden of creating
proofs of correctness, the Echo process splits these into two
separate proofs.

A software developer using the Echo process first produces
both a formal specification and an annotated SPARK Ada program
using familiar, traditional software engineering techniques.
Using the SPARK tools, the developer establishes an
implementation proof showing that the SPARK Ada source
code complies with its annotations. Echo’s unique reverse synthesis
process then produces a high-level abstract extracted
specification. Finally, the developer establishes an implication
proof showing that the extracted specification implies the given
formal specification. Taken together, the implementation and
implication proofs form a complete proof of correctness.

The keys to the practicality of the Echo process are the use
of verification refactoring and the availability of a practical implementation proof pro cess. In verification
refactoring, the SPARK program is
subjected to user-selected machine
transformations. Software must run adequately
fast, but this speed often comes
at the cost of increased complexity. By
transforming the source code into a lesscomplicated
form with the same functional
semantics, verification refactoring
reduces the complexity of the extracted
specification. Re-rolling loops, splitting
procedures into simpler sub-procedures,
reversing function inlining, and adding
or removing intermediate computations
or storage will not change the program
behavior, but can dramatically ease the
creation of the required proofs.

The effect of verification refactoring
can be dramatic. In one study, Knight
and Yin formally verified a SPARK
implementation of the Advanced
Encryption Standard (AES). By adjusting
data structures and reversing table
lookups, the efficient implementation
to be verified was transformed to one
more amenable to formal verification.

While the Echo ap proach could, in theory,
be applied to programs written in any
language, SPARK offers a number of
advantages, specifically:

• The use of SPARK provides a powerful
programming language with associated
mechanism for low-level specification.
• SPARK precludes the use of language
features that would have made the
proofs — both the implementation
proof and the implication proof —
either extraordinarily difficult or more
likely impossible.
• The SPARK tools are robust and
mature, and they immediately support
the implementation proof that is a fundamental
part of the Echo approach.
• Production-quality compilers, such
as AdaCore’s GNAT-Pro High-In -
tegrity Edition, are available for
many platforms.

Conclusion

The LifeFlow LVAD software project
has implemented a control system for the
active magnetic bearings that the LVAD
uses. A complete verification proof
demonstrates that the SPARK implementation
refines the high-level PVS specification.
The implementation targets a highperformance
embedded microprocessor.
Since no operating system is used, almost
all the software that executes has been
the subject of formal verification. The
only unproven software items are the
assembly-language loader, implementations
of two low-level C functions called
by compiler-generated object code, and
the machine configuration parameters.

This article was written by John Knight, PhD,
Professor of Computer Science, University of
Virginia in Charlottesville, VA; Xiang Yin,
Senior Software Design Engineer, MicroStrategy,
Inc., Tysons Corner, VA; and Patrick John
Graydon, Research Associate, University of York,
York, UK.

Question of the Week

This week's Question: This month, the Federal Aviation Administration proposed long-awaited rules on the commercial use of small drones, requiring operators to be certified, fly only during daylight, and keep their aircraft in sight. The ruling,...